With the rapid deployment of electronic commerce and communications globally, the security of electronic transactions and records has become a pivotal concern. With the proliferation of phishing, pharming and other fraudulent acts over the Internet, it has become more and more difficult to verify the authenticity of a party to an e-commerce transaction.
Phishing and pharming are acts of attempting to fraudulently acquire sensitive information, such as passwords, account information and credit card details, by masquerading as a trustworthy person or business with a real need for such information. In phishing, a fraudster sends an email to a user, requesting that the user click on a link in the email that directs the user to enter sensitive information on the ensuing web site. Because the links and web sites are usually near-exact copies of valid websites of well-known companies, such as large banks or eBay, the user is fooled into thinking the websites are legitimate and hence secure. Estimated losses from phishing now range in the billions of dollars.
Pharming refers to the redirection of an individual to an illegitimate web site through technical means. Pharming is the exploitation of a vulnerability in the DNS server software that allows a hacker to acquire the Domain Name for a site, and to redirect traffic intended for that website to another website. DNS servers are the giant computers that “run” the Internet. For example, an Internet banking customer, who routinely logs in to his or her online banking Web site, may be redirected to an illegitimate Web site instead of accessing his or her bank's Web site. Pharming can occur in four different ways: (1) static domain name spoofing, where the “pharmer” attempts to take advantage of slight misspellings in domain names to trick users into inadvertently visiting the pharmer's Web site; (2) malicious software, where viruses and “trojans” (latent malicious code or devices that secretly capture data) on a consumer's personal computer may intercept the user's request to visit a particular site and redirect the user to the site that the pharmer has set up; (3) domain hijacking, where a hacker may steal or hijack a company's legitimate Web site via domain slamming or domain expiration, allowing the hacker to redirect all legitimate Internet traffic to an illegitimate site; and (4) DNS poisoning, one of the most dangerous instances of pharming. Local DNS servers can be “poisoned” to send users to a Web site other than the one that was requested. This poisoning can occur as a result of misconfiguration, network vulnerabilities or malware installed on the server.
Both phishing and pharming lead unsuspecting customers to give up valuable personal and financial information. U.S. companies lose more than $2 billion annually as their clients fall victim. The methods for preventing phishing and pharming attacks include client-side, server-side, and enterprise level measures.
On the client side, current methods for eliminating phishing and the risks posed by phishing include desktop protection measures, email controls, browser controls, and general end user vigilance. Desktop protection measures include typical anti-virus software, firewalls, spam filters, and spyware detection. While these methods are useful in protecting users from certain phishing risks, they can be expensive, require monthly subscriptions and software updates, and can be complex and difficult to manage. Controlling a user's email, such as blocking attachments, de-activating HTML, and scanning for spam and viruses, can be useful since most phishing attacks come through spam and email. Email can also be digitally signed to verify the integrity and authenticity of email messages. However, email controls have limited success, do not block other sources of phishing or pharming, obfuscate the readability of HTML-based emails, may not support S/MIME digital signatures on certain types of web-based email systems, and may not be useful to users for checking certificate revocation status. Browser controls may also be manipulated to disable pop-ups, ActiveX, Java, and other scripts and cookies. These methods, however, decrease the browser's functionality and are not easy for consumers to understand or implement. Finally, improving customer awareness can be used to educate users about phishing attacks and how to avoid them. Unfortunately, this results in information overload while at the same time phishers develop new fraudulent techniques to confuse end users.
On the server-side, protection against phishing can be afforded by custom web application security. A key security concern revolves around increasingly sophisticated cross-site scripting vulnerabilities. These cross-site scripting vulnerabilities often escape other client-side protection strategies due to inherent trust relationships between the customer and the website owner, resulting in highly successful, and undetectable, attacks. Custom web application security can be implemented by safe session handling, qualifying URL links, providing multiple methods of customer authentication, and image regulation. While these methods are robust, they require skilled developers, must be subjected to extensive testing, and require significant overhead and processing resources.
On the enterprise level, methods for protecting against phishing include mail server authentication, such as sending email over an encrypted SSL/TLS link through the use of Secure SMTP. This method, though, is still spoofable, does not allow for email forwarding processes, and is not common. Domain monitoring can also be used, but requires corporate vigilance and monitoring of its domain names, and similar names.
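As an added example (not part of the patent text), the following Python sketch of the domain-monitoring step above flags hostnames that resemble a company's own domains, covering the misspelling case from the pharming discussion. The brand domains, substitution table and hostnames are constructed sample data.

```python
import unicodedata

# Hypothetical company domains to monitor (constructed sample data).
LEGIT_DOMAINS = ("examplebank.com", "examplebank.co.uk")

# Character substitutions often seen in look-alike names; undone before comparing.
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(label: str) -> str:
    """Fold accented or non-ASCII look-alikes to ASCII and undo common substitutions."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for old, new in SUBSTITUTIONS:
        folded = folded.replace(old, new)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str, legit=LEGIT_DOMAINS, max_distance: int = 2) -> str:
    """Return 'legitimate', 'brand-in-hostname', 'lookalike' or 'unrelated'."""
    host = host.strip().rstrip(".").lower()
    labels = host.split(".")
    # Exact match or a subdomain of a monitored domain is the company's own name.
    if any(host == d or host.endswith("." + d) for d in legit):
        return "legitimate"
    brand_labels = {normalize(d.split(".")[0]) for d in legit}
    # Brand used as a subdomain of an unrelated domain, e.g. examplebank.com.evil.net
    if any(normalize(lbl) in brand_labels for lbl in labels[:-2]):
        return "brand-in-hostname"
    # Near-miss spelling of the registrable label, e.g. exarnplebank.com
    sld = normalize(labels[-2] if len(labels) >= 2 else labels[0])
    if any(levenshtein(sld, b) <= max_distance for b in brand_labels):
        return "lookalike"
    return "unrelated"


def scan(hosts):
    """Classify a batch of observed hostnames, dropping the unrelated ones."""
    return [(h, classify(h)) for h in hosts if classify(h) != "unrelated"]
```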
Finally, other methods for ensuring the authenticity and integrity of websites include the use of SSL certificates to create encrypted sessions. When a website owner uses an SSL certificate with a website, the browser displays a padlock or other security symbol in one of its toolbars. The symbol indicates that an encrypted session has been established. By clicking on the padlock, the user can access information relating to the authenticity of the website. This information can be useful, but it is often difficult for a consumer to understand. Furthermore, the display of the padlock is controlled by the browser, and may not be noticed by a user.
In other methods, the user downloads an anti-phishing toolbar that displays authenticity and security information, such as which domain is authenticated by any associated digital certificates. This method, however, requires a user to download the toolbar application, which consumers may be reluctant to do since there are myriad toolbar downloads that contain spyware or adware.
Finally, a website owner may attach a site-seal to the website, showing that the site has been authenticated. While some site-seals provide security and assurance information when double-clicked or moused-over, the site seals usually are not very conspicuous, and usually must be placed at the bottom of a web page where there is white space. Thus, a user may not see the site-seal unless he or she scrolls to the bottom of the page.
Many other methods for guarding against phishing and pharming are described in detail in the publication: The Phishing Guide: Understanding & Preventing Phishing Attacks, written by Gunter Ollmann and published by NGS-NISR (Next Generation Security Software Ltd.) in September, 2004, the contents of which are incorporated herein by reference in its entirety.